{"id":14328,"date":"2025-06-18T13:10:46","date_gmt":"2025-06-18T13:10:46","guid":{"rendered":"\/cybersecurity-blog\/?p=14328"},"modified":"2025-06-19T05:42:21","modified_gmt":"2025-06-19T05:42:21","slug":"cyber-threat-hunting-tips","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/","title":{"rendered":"Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs\u00a0"},"content":{"rendered":"\n<p><em><strong>Editor\u2019s note<\/strong>:&nbsp;The current article is authored by Clandestine, threat researcher and threat hunter. You can&nbsp;<\/em><a href=\"https:\/\/x.com\/akaclandestine\" target=\"_blank\" rel=\"noreferrer noopener\"><em>find Clandestine on X<\/em><\/a><em>.<\/em><\/p>\n\n\n\n<p>Threat actors today are continuously developing sophisticated techniques to evade traditional detection methods. ANY.RUN\u2019s <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> offers advanced capabilities for threat data gathering and analysis. 
As a specialized search engine, it allows security analysts to query <a href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">various indicators<\/a> of compromise (IOCs), behaviors (IOBs), and attacks (IOAs), providing valuable insights into real-world malware activity observed in sandboxed environments.&nbsp;&nbsp;<\/p>\n\n\n\n<p>We shall review several advanced threat hunting techniques using <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s TI Lookup to provide cybersecurity researchers and threat intelligence analysts of <a href=\"https:\/\/any.run\/cybersecurity-blog\/expertware-success-story\/\" target=\"_blank\" rel=\"noreferrer noopener\">SOC and MSSP teams<\/a> with effective strategies to identify and analyze various types of threats.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Intelligence Lookup Key Capabilities&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"602\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/ti_lookup_main-2-1024x602.png\" alt=\"\" class=\"wp-image-14385\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/ti_lookup_main-2-1024x602.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/ti_lookup_main-2-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/ti_lookup_main-2-768x452.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/ti_lookup_main-2-1536x904.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/ti_lookup_main-2-370x218.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/ti_lookup_main-2-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/ti_lookup_main-2-740x435.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/ti_lookup_main-2.png 1829w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>You can start exploring TI Lookup with 50 trial requests<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> gives analysts access to a vast malware database that is continuously fed by over 500,000 users of the Interactive Sandbox, including <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\" target=\"_blank\" rel=\"noreferrer noopener\">15,000 corporate SOC teams<\/a>. A single search request can return hundreds of relevant analysis sessions, malware samples, or indicators, which can then be narrowed down with more specific queries.\u00a0<\/p>\n\n\n\n<p>Besides the ability to instantly get a verdict and context on a potential indicator of compromise, TI Lookup offers a number of functions that enable effective threat hunting and analysis:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IOC Lookups<\/strong>: Detailed searches of various indicators of compromise, including IP addresses, file hashes, URLs, and domain names.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Behavioral Lookups<\/strong>: Beyond traditional IOCs, the service enables searches based on behavioral indicators, such as registry modifications, process activities, network communications, and mutex creations. 
It is particularly effective for identifying unknown or emerging threats that may not have established IOCs.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>MITRE Techniques Detection<\/strong>: The <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-ttps-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">incorporation of the MITRE ATT&amp;CK<\/a> framework allows analysts to search for specific tactics, techniques, and procedures (TTPs) used by threat actors. This capability facilitates a more structured and comprehensive approach to threat hunting.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>File\/Event Correlation<\/strong>: The ability to correlate files and events helps analysts identify relationships between different components of an attack and understand the broader context of malicious activities.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>YARA-based Threat Hunting<\/strong>: This capability allows for highly specific searches based on file characteristics and patterns.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Wildcards and Logical Operators<\/strong>: The search supports various wildcards and logical operators for the construction of complex and precise queries.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The sophisticated query syntax of Threat Intelligence Lookup supports over 40 parameters, allowing for highly specific and contextualized searches. 
The basic structure of a query is a parameter, a colon, and a value, usually enclosed in quotation marks (e.g., submissionCountry:&#8221;us&#8221; ). A literal backslash inside a value, as in a registry path, is written doubled (registryKey:&#8221;CurrentVersion\\\\Run&#8221; later in this article).&nbsp;<\/p>\n\n\n\n<p>Logical <a href=\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">operators<\/a> play a crucial role in constructing effective queries:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>AND <\/strong>operator requires both conditions to be true.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>OR <\/strong>operator requires at least one condition to be true.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>NOT<\/strong> operator excludes results that match a specific condition.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Parentheses <\/strong>group conditions and establish precedence. Use them whenever a query mixes AND and OR; without them the result depends on the engine\u2019s implicit precedence rather than on what you meant.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/search-operators-and-wildcards-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Wildcards<\/a> and special characters enhance the flexibility of queries:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The asterisk <strong>(*) <\/strong>represents any number of characters.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The question mark <strong>(?)<\/strong> represents a single character.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The caret<strong> (^)<\/strong> matches the beginning of a string.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The dollar sign <strong>($)<\/strong> matches the end of a string.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The search parameter set covers various aspects of threat analysis, including file properties (e.g., fileExtension, filePath), process activities (e.g., commandLine, imagePath), network communications (e.g., destinationIp, URL), 
registry operations (e.g., registryKey, registryValue), and threat classifications (e.g., threatName, threatLevel).&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Tasks Solved by Threat Intelligence Lookup&nbsp;<\/h2>\n\n\n\n<p>Threat Intelligence Lookup is used by security teams worldwide to detect, prioritize, and contain threats faster. With TI Lookup, your SOC can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Speed Up Incident Response<\/strong>: Flexible queries across 40+ IOCs, IOAs, and IOBs with 2-second response times and exclusive indicators enable SOC teams to quickly investigate and mitigate incidents, slashing Mean Time to Respond (MTTR) and minimizing damage.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enhance Alert Triage with Contextual Insights<\/strong>: An extensive database of indicators on the latest attacks provides analysts with quick insights into any artifact, letting them enrich alerts, pin them to threats, and prioritize critical incidents.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Accelerate Threat Detection and Containment<\/strong>: Query Updates subscriptions and proactive searches using network artifacts help uncover hidden threats, allowing SOC teams to detect, escalate, and mitigate attacks early, preventing spread and protecting business operations.&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nUncover critical threat context for faster triage and response<br>with <span class=\"highlight\">ANY.RUN&#8217;s Threat Intelligence Lookup<\/span>&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=threat_hunting_tips&#038;utm_term=180625&#038;utm_content=linktotiplans\" rel=\"noopener\" 
target=\"_blank\">\nGet 50 trial requests\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>Now let\u2019s see how this architecture works on a number of hands-on use cases of peculiar threat hunting tasks.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Country-based Threat Detection&nbsp;<\/h2>\n\n\n\n<p>Geographic analysis of threats provides valuable insights into the origin and distribution of malicious activities. ANY.RUN\u2019s TI Lookup enables country-based threat detection through the submissionCountry parameter, which can be combined with other parameters to create highly specific queries. Many organizations that employ TI Lookup in their SOC, <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-transport-company-monitors-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">utilize this feature<\/a>.&nbsp;<\/p>\n\n\n\n<p>Geographic threat analysis typically involves identifying submissions from specific countries and filtering them based on threat levels, threat names, or behavioral indicators. 
This approach helps security analysts understand regional threat landscapes, identify country-specific attack campaigns, and establish geopolitical context for observed threats.&nbsp;<\/p>\n\n\n\n<p>Several example queries demonstrate the application of country-based threat detection.&nbsp;<\/p>\n\n\n\n<p>The query below targets phishing samples submitted from Brazil. By combining the submissionCountry parameter with the threatName parameter, it focuses on a specific type of threat within a geographic context.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522submissionCountry:%255C%2522br%255C%2522%2520AND%2520threatName:%255C%2522phishing%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">submissionCountry:&#8221;br&#8221; AND threatName:&#8221;phishing&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"609\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-5-1024x609.png\" alt=\"\" class=\"wp-image-14341\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-5-1024x609.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-5-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-5-768x457.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-5-370x220.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-5-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-5-740x440.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-5.png 1035w\" sizes=\"(max-width: 1024px) 
100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Samples of phishing added to the Sandbox by users from Brazil<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This approach helps identify regional trends in phishing campaigns, which may target local institutions or use language-specific social engineering techniques.&nbsp;<\/p>\n\n\n\n<p>The next query identifies malicious submissions from India that involve <a href=\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell commands<\/a>. It combines geographic filtering with a behavioral indicator and a threat classification, giving a more complete view of a specific attack methodology within a regional context.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522submissionCountry:%255C%2522in%255C%2522%2520AND%2520commandLine:%255C%2522powershell%255C%2522%2520AND%255Cr%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">submissionCountry:&#8221;in&#8221; AND commandLine:&#8221;powershell&#8221; AND threatLevel:&#8221;malicious&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"832\" height=\"530\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-5.png\" alt=\"\" class=\"wp-image-14342\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-5.png 832w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-5-300x191.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-5-768x489.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-5-370x236.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-5-270x172.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-5-740x471.png 740w\" sizes=\"(max-width: 832px) 100vw, 832px\" \/><figcaption class=\"wp-element-caption\"><em>Malicious samples from Indian users containing PowerShell commands<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This approach is particularly valuable for identifying attacks that leverage legitimate system tools like PowerShell.&nbsp;<\/p>\n\n\n\n<p>Country-based threat detection can be further enhanced by analyzing temporal patterns, comparing threat distributions across different regions, and correlating geographic data with other threat indicators. This multidimensional approach provides a more comprehensive understanding of the global threat landscape and helps security teams prioritize their defensive efforts based on regional risk profiles.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. MITRE Technique-Focused Queries&nbsp;<\/h2>\n\n\n\n<p>TI Lookup incorporates the MITRE ATT&amp;CK framework through the MITRE parameter, enabling highly specific searches based on known attack techniques.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Command and Scripting Interpreter (T1059)&nbsp;<\/h3>\n\n\n\n<p>T1059, Command and Scripting Interpreter, covers the use of command-line interfaces or scripting languages to execute commands, scripts, or binaries. Threat actors rely on it throughout an intrusion, from running the first-stage payload to setting up persistence. 
The following query targets this technique:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522MITRE:%255C%2522T1059%255C%2522%2520AND%2520(commandLine:%255C%2522powershell%255C%2522%2520OR%255Cr%2520imagePath:%255C%2522mshta.exe%255C%2522)%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE:&#8221;T1059&#8243; AND (commandLine:&#8221;powershell&#8221; OR imagePath:&#8221;mshta.exe&#8221;)<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"594\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-6-1024x594.png\" alt=\"\" class=\"wp-image-14344\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-6-1024x594.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-6-300x174.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-6-768x446.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-6-370x215.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-6-270x157.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-6-740x429.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-6.png 1060w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Endpoint events with script and application calls linked to malware samples<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Here we identify submissions that exhibit command and script execution behavior, as defined by the MITRE technique T1059, and involve either PowerShell commands or the Microsoft HTML Application 
Host (mshta.exe). The combination of the MITRE parameter with specific command-line or image path indicators provides insights into how threat actors leverage legitimate system tools for malicious purposes. Note that PowerShell is the sub-technique T1059.001, whereas mshta.exe itself is catalogued under T1218.005 (System Binary Proxy Execution: Mshta); it is included here because the HTA files it runs typically contain VBScript or JScript, which is interpreter execution in T1059 terms.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1824\" height=\"516\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-2.png\" alt=\"\" class=\"wp-image-14358\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-2.png 1824w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-2-300x85.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-2-1024x290.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-2-768x217.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-2-1536x435.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-2-370x105.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-2-270x76.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image10-2-740x209.png 740w\" sizes=\"(max-width: 1824px) 100vw, 1824px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup returns hundreds of relevant results, including numerous sandbox sessions<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This example also illustrates TI Lookup\u2019s search volume: it can return hundreds or even thousands of relevant malware samples, indicators, artifacts, and other types of data. 
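<\/p>\n\n\n\n<p>Composing queries like these by hand invites two mistakes that the rest of this article brushes against: a Windows backslash inside a registryKey value has to be written doubled, and a query that mixes AND and OR without parentheses relies on implicit precedence. The Python module below is an added example, not ANY.RUN\u2019s own code. It builds query strings from parameter:value terms with explicit grouping, flags a query whose AND and OR meet at the same nesting level, and reproduces the query fragment of the deep links this article uses. That link layout, a JSON object holding query and dateRange in the URL fragment and URI-encoded twice, is inferred from the links on this page and is an assumption rather than a documented interface.<\/p>

```python
"""Compose ANY.RUN TI Lookup queries and the deep links used in this article.

Added example, not ANY.RUN's own code. The query grammar (parameter:"value",
AND / OR / NOT, parentheses, * and ? wildcards, a Windows backslash written as
two backslashes) follows the queries shown in the article. The deep-link layout
is inferred from the links on this page: a JSON object {"query": ..., "dateRange": N}
placed in the URL fragment and URI-encoded twice. That layout is an assumption,
not a documented interface.
"""
import json
from urllib.parse import quote

LOOKUP_URL = "https://intelligence.any.run/analysis/lookup/"

# Characters JavaScript's encodeURI() leaves untouched. The page's links keep
# ':' ',' '(' ')' unencoded and turn '%' into '%25', i.e. encodeURI applied twice.
_URI_SAFE = "-_.!~*'();,/?:@&=+$#"


def term(param: str, value: str) -> str:
    """Render one parameter:"value" term, doubling any backslash in the value
    (registryKey:"CurrentVersion\\\\Run" in the article). The article shows no
    way to embed a double quote, so such values are refused rather than guessed."""
    if '"' in value:
        raise ValueError("a double quote inside a value is not supported")
    escaped = value.replace("\\", "\\\\")
    return f'{param}:"{escaped}"'


def join(op: str, *parts: str) -> str:
    """Join terms with one operator, no outer parentheses."""
    if op not in ("AND", "OR"):
        raise ValueError(f"unsupported operator {op!r}")
    return f" {op} ".join(parts)


def group(op: str, *parts: str) -> str:
    """Join terms and parenthesise the result so precedence is explicit."""
    return "(" + join(op, *parts) + ")"


def negate(part: str) -> str:
    """Exclude results matching the term."""
    return f"NOT {part}"


def mixed_operators(query: str) -> bool:
    """True if AND and OR meet at the same parenthesis depth outside quoted
    values, i.e. the query relies on implicit precedence."""
    ops_by_depth = {}                      # depth -> set of operators seen there
    depth, in_quote, escaped, word = 0, False, False, ""
    for ch in query + " ":                 # trailing space flushes the last word
        if in_quote:                       # skip quoted values, honouring \-escapes
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
        elif ch in "() \t\r\n":
            if word.upper() in ("AND", "OR"):
                ops_by_depth.setdefault(depth, set()).add(word.upper())
            word = ""
            depth += {"(": 1, ")": -1}.get(ch, 0)
        else:
            word += ch
    return any(len(ops) > 1 for ops in ops_by_depth.values())


def deep_link(query: str, date_range: int = 180) -> str:
    """Lookup URL with the query in the fragment, as the article's links are built.
    The article gives 1 and 180 days as the search-period limits."""
    if not 1 <= date_range <= 180:
        raise ValueError("dateRange must be between 1 and 180 days")
    payload = json.dumps({"query": query, "dateRange": date_range}, separators=(",", ":"))
    return LOOKUP_URL + "#" + quote(quote(payload, safe=_URI_SAFE), safe=_URI_SAFE)


def run_key_query() -> str:
    """The article's T1547 query; note the single backslash in the source value."""
    return join("AND", term("MITRE", "T1547"), term("registryKey", r"CurrentVersion\Run"))


def dga_tld_query() -> str:
    """The article's DGA query with the two domainName terms parenthesised."""
    return join(
        "AND",
        group("OR", term("domainName", "*.top"), term("domainName", "*.xyz")),
        group("OR", term("destinationPort", "80"), term("destinationPort", "443")),
        term("threatLevel", "malicious"),
    )


if __name__ == "__main__":
    for q in (run_key_query(), dga_tld_query()):
        print(q)
        print("  ambiguous precedence:", mixed_operators(q))
        print("  ", deep_link(q))
```

<p>Running the module prints the T1547 Run-key query and the DGA query with its OR branch parenthesised, each followed by the lookup link it resolves to. Operator words inside quoted values are ignored by the precedence check, so a value such as syncObjectName:&#8221;and&#8221; does not trigger it.<\/p>\n\n\n\n<p>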
An analyst can narrow the search by adding parameters or by changing the search period (circled on the screenshot), which can be set anywhere from the minimum of one day to the maximum of 180 days.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Registry Run Key Persistence (T1547)&nbsp;<\/h3>\n\n\n\n<p>T1547, Boot or Logon Autostart Execution, covers configuring the system so that malware runs automatically at boot or logon; the registry Run keys are its best-known sub-technique, T1547.001 (Registry Run Keys \/ Startup Folder). Threat actors use it to maintain access to compromised systems. The following query targets this technique:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522MITRE:%255C%2522T1547%255C%2522%2520AND%2520registryKey:%255C%2522CurrentVersion%255C%255C%255C%255CRun%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE:&#8221;T1547&#8243; AND registryKey:&#8221;CurrentVersion\\\\Run&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"893\" height=\"525\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-4.png\" alt=\"\" class=\"wp-image-14359\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-4.png 893w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-4-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-4-768x452.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-4-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-4-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-4-740x435.png 740w\" 
sizes=\"(max-width: 893px) 100vw, 893px\" \/><figcaption class=\"wp-element-caption\"><em>Search results for malware changing Windows registry<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query identifies submissions that exhibit registry-based persistence behavior, as defined by the MITRE technique T1547, and specifically target the Run key in the Windows Registry. This key is commonly used for persistence, as any executable listed here will run automatically when a user logs in.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advanced MITRE Correlation&nbsp;<\/h3>\n\n\n\n<p>Advanced threat hunting often involves correlating multiple MITRE techniques to identify sophisticated attack patterns. The following query illustrates this approach:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522MITRE:%255C%2522T1055%255C%2522%2520AND%2520MITRE:%255C%2522T1547%255C%2522%2520AND%2520MITRE:%255C%2522T1082%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE:&#8221;T1055&#8243; AND MITRE:&#8221;T1547&#8243; AND MITRE:&#8221;T1082&#8243;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"931\" height=\"562\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-4.png\" alt=\"\" class=\"wp-image-14360\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-4.png 931w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-4-300x181.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-4-768x464.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-4-370x223.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-4-270x163.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-4-740x447.png 740w\" sizes=\"(max-width: 931px) 100vw, 931px\" \/><figcaption class=\"wp-element-caption\"><em>Malware strains and types combining several attack techniques<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query identifies submissions that exhibit three distinct MITRE techniques: process injection (T1055), registry-based persistence (T1547), and system information discovery (T1082).&nbsp;<\/p>\n\n\n\n<p>The correlation of these techniques suggests a sophisticated attack that injects code into legitimate processes, establishes persistence through registry modifications, and attempts to collect information about the system.&nbsp;&nbsp;<\/p>\n\n\n\n<p>MITRE technique-focused queries can be further enhanced by incorporating additional parameters related to file properties, network communications, or threat classifications. This multidimensional approach provides a more comprehensive understanding of how specific techniques are implemented in real-world attacks and helps security teams develop more effective detection and mitigation strategies.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Obfuscated File Behavior Detection&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/6-common-obfuscation-methods-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">Obfuscation<\/a> is a common technique used by malware authors to hide malicious code and evade analysis. ANY.RUN TI Lookup enables the detection of various obfuscation techniques through specialized queries that focus on file behaviors and characteristics.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Executables in Non-Standard Directories&nbsp;<\/h3>\n\n\n\n<p>Malware often places executable files in non-standard directories to avoid detection and blend in with legitimate system files. 
The following query targets this behavior:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522fileExtension:%255C%2522exe%255C%2522%2520AND%2520NOT%2520filePath:%255C%2522Windows*%255C%2522%2520AND%2520NOT%255Cr%2520filePath:%255C%2522Program%2520Files*%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">fileExtension:&#8221;exe&#8221; AND NOT filePath:&#8221;Windows*&#8221; AND NOT filePath:&#8221;Program Files*&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"736\" height=\"590\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-5.png\" alt=\"\" class=\"wp-image-14361\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-5.png 736w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-5-300x240.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-5-370x297.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-5-270x216.png 270w\" sizes=\"(max-width: 736px) 100vw, 736px\" \/><figcaption class=\"wp-element-caption\"><em>Samples that drop executables outside the Windows and Program Files directories<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query identifies executable files (.exe) that are not located in the standard Windows or Program Files directories. 
The combination of the fileExtension parameter with negative conditions for standard file paths helps security analysts identify potentially suspicious executables that may be attempting to hide in unusual locations. On its own, though, the query matches a very large share of all submissions, since malware commonly drops into user-writable locations such as Temp or AppData; combine it with threatLevel:&#8221;malicious&#8221;, a narrower filePath wildcard, or a threatName to keep the result set reviewable.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Script-Based Obfuscation&nbsp;<\/h3>\n\n\n\n<p>Script-based obfuscation involves the use of scripting languages to hide malicious code or execute obfuscated commands. The following query targets this behavior:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%7B%2522query%2522:%2522commandLine:%255C%2522powershell%255C%2522%2520and%2520fileExtension:%255C%2522js%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">commandLine:&#8221;powershell&#8221; and fileExtension:&#8221;js&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"564\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-5-1024x564.png\" alt=\"\" class=\"wp-image-14362\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-5-1024x564.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-5-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-5-768x423.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-5-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-5-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-5-740x408.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-5.png 1055w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>JavaScript files executing PowerShell commands<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query identifies JavaScript (.js) files that execute PowerShell commands (you can also search for other script types, like Visual Basic Script (.vbs) files). This pattern is commonly observed in multi-stage attacks where script files are used as initial droppers that subsequently execute obfuscated PowerShell commands. The combination of file extension parameters with command-line indicators helps security analysts identify and analyze this obfuscation technique.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. Persistence and Mutex Creation&nbsp;<\/h2>\n\n\n\n<p>Persistence mechanisms and mutex creation are common techniques used by malware to maintain access to compromised systems and ensure that only one instance of the malware is running at a time.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mutexes<\/a> can be explored with the aid of Object parameters:&nbsp;<br>&nbsp;<br><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522syncObjectName:%255C%2522rmc%255C%2522%2522,%2522dateRange%2522:30%257D\" target=\"_blank\" rel=\"noreferrer noopener\">syncObjectName:&#8221;rmc&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"545\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-5-1024x545.png\" alt=\"\" class=\"wp-image-14369\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-5-1024x545.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-5-300x160.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-5-768x409.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-5-370x197.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-5-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-5-740x394.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-5.png 1055w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox samples that create a mutex<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query returns analyses that create a mutex (a synchronization object malware commonly uses to guarantee single-instance execution) with the name \u201crmc\u201d. TI Lookup returns numerous results, and the family label shared across them shows that this mutex belongs to the <a href=\"https:\/\/any.run\/malware-trends\/remcos\/\" target=\"_blank\" rel=\"noreferrer noopener\">Remcos<\/a> trojan.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Mutex names are cheap to collect from endpoint telemetry or from memory forensics (handle tables), and many families keep them stable across builds, which makes them a reliable pivot from an artifact seen on one host to the family behind it and to its other samples. Further analysis of persistence and mutex creation can involve examining the specific values written to registry keys, analyzing the naming conventions of mutexes, and correlating these indicators with other malicious behaviors.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. Domain Generation Algorithm (DGA) Detection&nbsp;<\/h2>\n\n\n\n<p>Domain Generation Algorithms (DGAs) let malware derive a long list of candidate domain names for command and control (C2) communication from a seed such as the current date, so that the operator only has to register a few of them ahead of time. Because the infected host keeps moving on to the next candidate, blocking or sinkholing any single domain does not cut off C2, and a static blocklist is always a step behind. 
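<\/p>\n\n\n\n<p>Two of the characteristics this section goes on to mention, the linguistic look of generated labels and the fact that a cheap TLD by itself is not evidence of a DGA, can be checked locally on whatever domain list a query returns. The following Python is an added example written for this article, not TI Lookup code and not the author&#8217;s: it scores each registrable label with a few hand-picked heuristics (vowel ratio, longest consonant run, digit share, character entropy) and runs them over a constructed, made-up domain list. The thresholds are illustrative assumptions rather than values tuned on real DGA corpora.<\/p>\n
```python
import math
from collections import Counter

# Constructed, made-up domain list for illustration; not TI Lookup output.
SAMPLE_DOMAINS = [
    'google.com',
    'microsoft.com',
    'update-service.top',   # cheap TLD, but a readable, human-chosen label
    'cdn-static7.xyz',      # cheap TLD, hyphen and a digit, still readable
    'lkjhgfdsazxc.xyz',     # generated-looking label on a cheap TLD
    'xkq7w2mzpq9v.top',     # generated-looking label with digits mixed in
    'qwtzrpklmnbv.com',     # generated-looking label on a mainstream TLD
]

VOWELS = set('aeiou')

def second_level_label(domain):
    # The registrable label is what a DGA randomises; drop TLD and subdomains.
    # (Multi-part public suffixes such as .co.uk are not handled here.)
    labels = domain.lower().strip('.').split('.')
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(text):
    # Bits per character over the label's own symbol distribution.
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())

def longest_consonant_run(text):
    # Digits, hyphens and vowels end a run; only consonant letters extend it.
    best = run = 0
    for ch in text:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def features(domain):
    label = second_level_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowels = [ch for ch in letters if ch in VOWELS]
    digits = [ch for ch in label if ch.isdigit()]
    return {
        'label': label,
        'letters': len(letters),
        'vowel_ratio': len(vowels) / len(letters) if letters else 0.0,
        'longest_consonant_run': longest_consonant_run(label),
        'digit_ratio': len(digits) / len(label) if label else 0.0,
        'entropy': shannon_entropy(label),
    }

def dga_hits(domain):
    # Number of independent 'looks generated' signals that fire. The cut-offs
    # are hand-picked assumptions for this example, not tuned on DGA corpora.
    f = features(domain)
    hits = 0
    if f['letters'] >= 6 and f['vowel_ratio'] < 0.2:
        hits += 1      # pronounceable names are vowel-rich
    if f['longest_consonant_run'] >= 4:
        hits += 1      # human-chosen names rarely stack four consonants
    if f['digit_ratio'] >= 0.2:
        hits += 1      # digits scattered through the label
    if f['entropy'] >= 3.5:
        hits += 1      # near-uniform character distribution
    return hits

def triage(domains, min_hits=2):
    # Split a domain list into generated-looking and ordinary-looking names.
    # The TLD is ignored on purpose: .top or .xyz alone proves nothing.
    flagged = [d for d in domains if dga_hits(d) >= min_hits]
    clean = [d for d in domains if dga_hits(d) < min_hits]
    return flagged, clean

if __name__ == '__main__':
    for d in SAMPLE_DOMAINS:
        f = features(d)
        vr, run, ent = f['vowel_ratio'], f['longest_consonant_run'], f['entropy']
        print(f'{d:22} hits={dga_hits(d)} vowel={vr:.2f} run={run} ent={ent:.2f}')
    print('flagged:', triage(SAMPLE_DOMAINS)[0])
```
\n<p>Run it as a script to see the per-domain features, or feed it the exported domains from a TI Lookup result set to rank which ones deserve a closer look. It deliberately ignores the TLD: update-service.top and cdn-static7.xyz score zero while qwtzrpklmnbv.com is flagged, which is the point of looking at the label rather than the suffix.<\/p>\n\n\n\n<p>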
ANY.RUN TI Lookup enables the detection of DGA-based malware through specialized queries that focus on domain characteristics and communication patterns.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Random TLD with Active Communication&nbsp;<\/h3>\n\n\n\n<p>Operators who register DGA output in bulk tend to pick inexpensive top-level domains (TLDs) such as .top and .xyz to keep costs down, so these TLDs are over-represented in malicious infrastructure even though plenty of legitimate sites use them. The following query targets this behavior:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522domainName:%255C%2522*.top%255C%2522%2520OR%2520domainName:%255C%2522*.xyz%255C%2522%2520AND%2520(destinationPort:%255C%252280%255C%2522%2520OR%2520destinationPort:%255C%2522443%255C%2522)%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;*.top&#8221; OR domainName:&#8221;*.xyz&#8221; AND (destinationPort:&#8221;80&#8221; OR destinationPort:&#8221;443&#8221;) AND threatLevel:&#8221;malicious&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-2-1024x578.png\" alt=\"\" class=\"wp-image-14351\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-2-1024x578.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-2-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-2-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-2-1536x867.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-2-370x209.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-2-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-2-740x418.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image11-2.png 1829w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Cheap-TLD domains found across analyses of malicious samples<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query is meant to return malicious submissions that communicate with .top or .xyz domains over HTTP (port 80) or HTTPS (port 443). These TLDs are inexpensive and therefore popular for disposable C2 and phishing infrastructure, but the suffix alone says nothing about whether a name was algorithmically generated, so inspect the returned domain names for the random-looking labels that distinguish DGA output from a human-chosen name. Note also that the two TLD clauses are joined by OR without parentheses: if AND binds more tightly than OR, as it does in most query languages, the port and threatLevel filters apply only to the .xyz clause and the .top clause returns every .top domain regardless of verdict. Writing (domainName:&#8221;*.top&#8221; OR domainName:&#8221;*.xyz&#8221;) AND (destinationPort:&#8221;80&#8221; OR destinationPort:&#8221;443&#8221;) AND threatLevel:&#8221;malicious&#8221; removes the ambiguity, and comparing result counts before and after is a quick way to learn how the engine parsed the original.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Domain Name Patterns&nbsp;<\/h3>\n\n\n\n<p>This query returns submissions that communicate with domains <a href=\"https:\/\/any.run\/cybersecurity-blog\/cloudflare-phishing-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">deployed on Cloudflare Workers<\/a> (*.workers.dev), a serverless platform attackers frequently abuse to host phishing pages because it gives them a reputable domain and TLS without registering anything. Legitimate applications live there too, which is why the threatLevel filter matters: &nbsp;<br>&nbsp;<br><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522domainName:%255C%2522.workers.dev%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;.workers.dev&#8221; AND threatLevel:&#8221;malicious&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1-1024x586.png\" alt=\"\" class=\"wp-image-14352\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1-1024x586.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1-1536x878.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1-740x423.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image12-1.png 1824w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup provided over 300 phishing domains hosted on Cloudflare Workers<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Known DGA Families&nbsp;<\/h3>\n\n\n\n<p>Certain malware families are known to use specific DGA implementations. 
The following query targets these associations:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522(threatName:%255C%2522redline%255C%2522%2520OR%2520threatName:%255C%2522lumma%255C%2522)%2520AND%2520domainName:%255C%2522.%255C%2522%2520AND%2520destinationIpAsn:%255C%2522cloudflare%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">(threatName:&#8221;redline&#8221; OR threatName:&#8221;lumma&#8221;) AND domainName:&#8221;.&#8221; AND destinationIpAsn:&#8221;cloudflare&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"931\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-2.png\" alt=\"\" class=\"wp-image-14364\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-2.png 931w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-2-300x193.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-2-768x495.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-2-370x238.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-2-270x174.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-2-740x477.png 740w\" sizes=\"(max-width: 931px) 100vw, 931px\" \/><figcaption class=\"wp-element-caption\"><em>Malware of known families that abuses legitimate CDN services<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query identifies submissions associated with <a href=\"https:\/\/any.run\/malware-trends\/redline\/\" target=\"_blank\" rel=\"noreferrer noopener\">RedLine<\/a> or <a href=\"https:\/\/any.run\/malware-trends\/lumma\/\" 
target=\"_blank\" rel=\"noreferrer noopener\">Lumma<\/a> malware families that communicate with any domain resolving to Cloudflare&#8217;s infrastructure. Note that the query itself carries no DGA-specific condition: domainName:&#8221;.&#8221; matches every domain, so what it really selects is \u201cthis family, talking to something behind the Cloudflare ASN (Autonomous System Number)\u201d. Fronting C2 with a CDN hides the origin server and blends the traffic with ordinary web browsing, which is why the correlation is worth pulling. Whether a sample&#8217;s domains were produced by an algorithm cannot be read off this query alone; treat the result as a candidate list and inspect the domain names themselves before concluding that a DGA is in play. The same template, with a different threatName, pivots any family to its current network infrastructure.&nbsp;<\/p>\n\n\n\n<p>DGA detection can be further enhanced by analyzing temporal patterns of domain generation (a burst of lookups for names that mostly fail to resolve as the sample walks its candidate list), examining the linguistic characteristics of generated domains (unusually high character entropy, few vowels, long consonant runs, digits scattered through the label), and correlating domain communications with other malicious behaviors.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">6. Malware Family Behavior Queries&nbsp;<\/h2>\n\n\n\n<p>Different malware families exhibit distinct behavioral patterns that can be used for identification and analysis. ANY.RUN TI Lookup enables the detection of specific malware families through queries that target their characteristic behaviors.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Formbook&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/formbook\/\" target=\"_blank\" rel=\"noreferrer noopener\">Formbook<\/a> is an information stealer that captures screenshots, logs keystrokes, grabs data submitted in web forms, and steals credentials stored by browsers.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522threatName:%255C%2522formbook%255C%2522%2520OR%2520(MITRE:%255C%2522T1055%255C%2522%2520AND%2520registryKey:%255C%2522Windows%255C%255C%255C%255CCurrentVersion%255C%255C%255C%255CRun%255C%2522%2520AND%2520fileExtension:%255C%2522exe%255C%2522)%2520OR%2520(URL:%255C%2522*.php%255C%2522%2520AND%2520httpRequestContentType:%255C%2522application\/x-www-form-urlencoded%255C%2522)%2522,%2522dateRange%2522:7%257D\" 
target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;formbook&#8221; OR (MITRE:&#8221;T1055&#8243; AND registryKey:&#8221;Windows\\\\CurrentVersion\\\\Run&#8221; AND fileExtension:&#8221;exe&#8221;) OR (URL:&#8221;*.php&#8221; AND httpRequestContentType:&#8221;application\/x-www-form-urlencoded&#8221;)<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-2-1024x566.png\" alt=\"\" class=\"wp-image-14365\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-2-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-2-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-2-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-2-1536x850.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-2-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-2-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-2-740x409.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image13-2.png 1853w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox analyses of fresh Formbook samples found via TI Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query identifies submissions explicitly classified as Formbook or exhibiting behaviors characteristic of this malware family, including process injection (MITRE T1055) combined with Run registry modifications and executable files, or communication with PHP endpoints using specific content types. 
The three branches are joined by OR, so any one of them is enough for a hit, and the last two are generic: many families inject code and write a Run key, and POSTing form-encoded data to a .php endpoint is how Formbook talks to its C2 but also how countless legitimate web applications work. Treat the behavioral branches as a way to surface samples the classifier has not yet labelled rather than as proof of Formbook on their own, and expect the unlabelled hits to need triage; the short date range in this query (7 days) keeps that triage manageable.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">AsyncRAT&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/asyncrat\/\" target=\"_blank\" rel=\"noreferrer noopener\">AsyncRAT<\/a> is an open-source remote access trojan (RAT) that gives attackers full control over infected systems.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522threatName:%255C%2522asyncrat%255C%2522%2520and%2520commandLine:%255C%2522mshta.exe%255C%2522%2520OR%2520commandLine:%255C%2522powershell%255C%2522%2522,%2522dateRange%2522:30%257D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;asyncrat&#8221; and commandLine:&#8221;mshta.exe&#8221; OR commandLine:&#8221;powershell&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image14-1-1024x578.png\" alt=\"\" class=\"wp-image-14366\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image14-1-1024x578.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image14-1-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image14-1-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image14-1-1536x867.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image14-1-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image14-1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image14-1-740x418.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image14-1.png 1844w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>AsyncRAT samples found via typical behavior<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query is meant to return AsyncRAT submissions whose process activity includes mshta.exe or PowerShell, two living-off-the-land binaries that its loaders commonly use. As written, however, the OR is not parenthesized: if AND binds more tightly than OR, the last clause stands alone and matches every submission with a PowerShell command line, whatever the family. A quick sanity check is to run threatName:&#8221;asyncrat&#8221; by itself and compare counts; if the combined query returns more hits, the OR has escaped the family filter. threatName:&#8221;asyncrat&#8221; AND (commandLine:&#8221;mshta.exe&#8221; OR commandLine:&#8221;powershell&#8221;) states the intent unambiguously.&nbsp;<\/p>\n\n\n\n<p>Malware family behavior queries can be sharpened further by adding indicators specific to each family (mutex formats, registry value names, C2 URL paths), tracking how those behaviors change across builds, and correlating the family-specific indicators with broader threat intelligence. That is how a family label turns into detection logic that survives the next repack.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">7. Thematic Search Query Updates&nbsp;<\/h2>\n\n\n\n<p>TI Lookup lets you subscribe to receive updates on your <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-lookup-notifications\/\" target=\"_blank\" rel=\"noreferrer noopener\">custom search queries<\/a>. For example, you can focus on specific malware families, enabling more efficient and targeted threat hunting.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Credential Stealers&nbsp;<\/h3>\n\n\n\n<p>Credential stealing is a common objective for various malware families. 
The following query targets three popular stealers, RedLine, Lumma, and Formbook, that touch the Security Account Manager (SAM) registry hive, where Windows stores local account password hashes. The three threatName clauses are ORed without parentheses, so if AND binds more tightly than OR only the Formbook clause is constrained by the registry condition; writing (threatName:&#8221;redline&#8221; OR threatName:&#8221;lumma&#8221; OR threatName:&#8221;formbook&#8221;) AND registryKey:&#8221;SAM\\\\&#8221; makes the SAM condition apply to all three.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolookup#%257B%2522query%2522:%2522threatName:%255C%2522redline%255C%2522%2520OR%2520threatName:%255C%2522lumma%255C%2522%2520OR%2520threatName:%255C%2522formbook%255C%2522%2520AND%2520registryKey:%255C%2522SAM%255C%255C%255C%255C%255C%2522%2522,%2522dateRange%2522:180%257D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;redline&#8221; OR threatName:&#8221;lumma&#8221; OR threatName:&#8221;formbook&#8221; AND registryKey:&#8221;SAM\\\\&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"289\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image15-1-1024x289.png\" alt=\"\" class=\"wp-image-14357\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image15-1-1024x289.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image15-1-300x85.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image15-1-768x217.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image15-1-1536x434.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image15-1-370x104.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image15-1-270x76.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image15-1-740x209.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image15-1.png 1827w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>You can subscribe to query updates via the bell icon on the right<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>By subscribing to this query, we\u2019ll receive a notification each time new matching analyses appear in TI Lookup. The same pattern works for any theme: drop the threatName filter to watch for SAM access across all families, or swap in a different registry key, mutex name, or domain pattern to follow the artifact rather than the family.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>We have reviewed a number of advanced threat hunting techniques using ANY.RUN TI Lookup. &nbsp;<\/p>\n\n\n\n<p>Through detailed exploration of various query methodologies, including country-based threat detection, MITRE technique-focused queries, obfuscated file behavior detection, persistence mechanisms, domain generation algorithm detection, and malware family behavior analysis, this overview demonstrates the power and flexibility of query-based threat intelligence in modern security operations.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Correlating different indicators through logical operators, with explicit parentheses wherever AND and OR are mixed, improves detection precision and reduces false positives, allowing security analysts to focus their efforts on the most relevant threats.&nbsp;&nbsp;<\/p>\n\n\n\n<p>By focusing on specific threat categories and leveraging advanced query techniques, security teams can develop more efficient and effective threat detection strategies.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals worldwide. Our Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. 
Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence Lookup<\/strong><\/a><strong> and&nbsp;<\/strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Feeds<\/strong><\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=threat_hunting_tips&amp;utm_term=180625&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request trial of ANY.RUN\u2019s services to test them in your organization \u2192<\/a>&nbsp;<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:&nbsp;The current article is authored by Clandestine, threat researcher and threat hunter. You can&nbsp;find Clandestine on X. Threat actors today are continuously developing sophisticated techniques to evade traditional detection methods. ANY.RUN\u2019s Threat Intelligence Lookup offers advanced capabilities for threat data gathering and analysis. 
As a specialized search engine, it allows security analysts to query [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":14337,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,34],"class_list":["post-14328","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn actionable threat hunting techniques to proactively identify malware hidden inside your infrastructure and enrich your defense with fresh IOCs.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Clandestine\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/\"},\"author\":{\"name\":\"Clandestine\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs\u00a0\",\"datePublished\":\"2025-06-18T13:10:46+00:00\",\"dateModified\":\"2025-06-19T05:42:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/\"},\"wordCount\":2881,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/\",\"name\":\"Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-06-18T13:10:46+00:00\",\"dateModified\":\"2025-06-19T05:42:21+00:00\",\"description\":\"Learn actionable threat hunting techniques to proactively identify malware hidden inside your infrastructure and enrich your defense with fresh 
IOCs.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Clandestine\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/QMUn70Ag_400x400.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/QMUn70Ag_400x400.jpg\",\"caption\":\"Clandestine\"},\"description\":\"Threat Research and Threat Hunter Follow me on X\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn actionable threat hunting techniques to proactively identify malware hidden inside your infrastructure and enrich your defense with fresh IOCs.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/","twitter_misc":{"Written by":"Clandestine","Est. 
reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/"},"author":{"name":"Clandestine","@id":"https:\/\/any.run\/"},"headline":"Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs\u00a0","datePublished":"2025-06-18T13:10:46+00:00","dateModified":"2025-06-19T05:42:21+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/"},"wordCount":2881,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","malware analysis"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/","url":"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/","name":"Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-06-18T13:10:46+00:00","dateModified":"2025-06-19T05:42:21+00:00","description":"Learn actionable threat hunting techniques to proactively identify malware hidden inside your infrastructure and enrich your defense with fresh 
IOCs.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-hunting-tips\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"Threat Hunting: Hands-on Tips for SOC Analysts and MSSPs\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Clandestine","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/QMUn70Ag_400x400.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/QMUn70Ag_400x400.jpg","caption":"Clandestine"},"description":"Threat Research and Threat Hunter Follow me on 
X","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14328"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=14328"}],"version-history":[{"count":18,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14328\/revisions"}],"predecessor-version":[{"id":14388,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14328\/revisions\/14388"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/14337"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=14328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=14328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=14328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}